SpotBugs Report

Project Information

Project: fastjson

SpotBugs version: 4.8.3

Code analyzed:



Metrics

31858 lines of code analyzed, in 273 classes, in 18 packages.

Metric Total Density*
High Priority Warnings 31 0.97
Medium Priority Warnings 243 7.63
Total Warnings 274 8.60

(* Defects per Thousand lines of non-commenting source statements)



Contents

Summary

Warning Type Number
Bad practice Warnings 44
Correctness Warnings 7
Malicious code vulnerability Warnings 155
Multithreaded correctness Warnings 17
Performance Warnings 11
Dodgy code Warnings 40
Total 274

Warnings

Click on a warning row to see full context information.

Bad practice Warnings

Code Warning
CN com.alibaba.fastjson.JSONArray.clone() does not call super.clone()
CN com.alibaba.fastjson.JSONObject.clone() does not call super.clone()
CT Exception thrown in class com.alibaba.fastjson.JSONArray at new com.alibaba.fastjson.JSONArray(List) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class com.alibaba.fastjson.JSONObject at new com.alibaba.fastjson.JSONObject(Map) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class com.alibaba.fastjson.JSONPath at new com.alibaba.fastjson.JSONPath(String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class com.alibaba.fastjson.JSONPath at new com.alibaba.fastjson.JSONPath(String, SerializeConfig, ParserConfig, boolean) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class com.alibaba.fastjson.JSONPath at new com.alibaba.fastjson.JSONPath(String, boolean) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class com.alibaba.fastjson.JSONPath$PropertyFilter at new com.alibaba.fastjson.JSONPath$PropertyFilter(String, boolean) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class com.alibaba.fastjson.JSONPath$ValueSegment at new com.alibaba.fastjson.JSONPath$ValueSegment(String, boolean, Object, boolean) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class com.alibaba.fastjson.JSONValidator$ReaderValidator at new com.alibaba.fastjson.JSONValidator$ReaderValidator(Reader) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class com.alibaba.fastjson.JSONValidator$UTF8InputStreamValidator at new com.alibaba.fastjson.JSONValidator$UTF8InputStreamValidator(InputStream) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class com.alibaba.fastjson.asm.ClassReader at new com.alibaba.fastjson.asm.ClassReader(InputStream, boolean) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class com.alibaba.fastjson.serializer.FieldSerializer at new com.alibaba.fastjson.serializer.FieldSerializer(Class, FieldInfo) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class com.alibaba.fastjson.support.spring.JSONPResponseBodyAdvice at new com.alibaba.fastjson.support.spring.JSONPResponseBodyAdvice() will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class com.alibaba.fastjson.util.AntiCollisionHashMap at new com.alibaba.fastjson.util.AntiCollisionHashMap(int) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class com.alibaba.fastjson.util.AntiCollisionHashMap at new com.alibaba.fastjson.util.AntiCollisionHashMap(int, float) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class com.alibaba.fastjson.util.AntiCollisionHashMap at new com.alibaba.fastjson.util.AntiCollisionHashMap(Map) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class com.alibaba.fastjson.util.FieldInfo at new com.alibaba.fastjson.util.FieldInfo(String, Method, Field, Class, Type, int, int, int, JSONField, JSONField, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class com.alibaba.fastjson.util.FieldInfo at new com.alibaba.fastjson.util.FieldInfo(String, Method, Field, Class, Type, int, int, int, JSONField, JSONField, String, Map) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
CT Exception thrown in class com.alibaba.fastjson.util.GenericArrayTypeImpl at new com.alibaba.fastjson.util.GenericArrayTypeImpl(Type) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.
DMI Random object created and used only once in new com.alibaba.fastjson.util.AntiCollisionHashMap()
DMI Random object created and used only once in new com.alibaba.fastjson.util.AntiCollisionHashMap(int, float)
ES Comparison of String objects using == or != in com.alibaba.fastjson.parser.DefaultJSONParser.parse(PropertyProcessable, Object)
ES Comparison of String objects using == or != in com.alibaba.fastjson.parser.deserializer.JavaBeanDeserializer.deserialze(DefaultJSONParser, Type, Object, Object, int, int[])
ES Comparison of String parameter using == or != in com.alibaba.fastjson.parser.deserializer.Jdk8DateCodec.write(SerializeWriter, TemporalAccessor, String)
ES Comparison of String objects using == or != in com.alibaba.fastjson.parser.deserializer.MapDeserializer.parseMap(DefaultJSONParser, Map, Type, Object, int)
ES Comparison of String objects using == or != in com.alibaba.fastjson.parser.deserializer.SqlDateDeserializer.castTimestamp(DefaultJSONParser, Type, Object, Object)
ES Comparison of String objects using == or != in com.alibaba.fastjson.parser.deserializer.StackTraceElementDeserializer.deserialze(DefaultJSONParser, Type, Object)
Eq com.alibaba.fastjson.serializer.FieldSerializer defines compareTo(FieldSerializer) and uses Object.equals()
Eq com.alibaba.fastjson.util.FieldInfo defines compareTo(FieldInfo) and uses Object.equals()
NP com.alibaba.fastjson.JSONArray.getBoolean(int) has Boolean return type and returns explicit null
NP com.alibaba.fastjson.JSONObject.getBoolean(String) has Boolean return type and returns explicit null
NP com.alibaba.fastjson.util.TypeUtils.castToBoolean(Object) has Boolean return type and returns explicit null
PA Primitive field com.alibaba.fastjson.JSON.DEFAULT_GENERATE_FEATURE is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility.
PA Primitive field com.alibaba.fastjson.JSON.DEFAULT_PARSER_FEATURE is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility.
PA Primitive field com.alibaba.fastjson.JSON.DEFAULT_TYPE_KEY is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility.
PA Primitive field com.alibaba.fastjson.asm.ByteVector.data is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility.
PA Primitive field com.alibaba.fastjson.asm.ByteVector.length is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility.
PA Primitive field com.alibaba.fastjson.parser.DefaultJSONParser.resolveStatus is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility.
PA Primitive field com.alibaba.fastjson.parser.JSONLexerBase.matchStat is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility.
PA Primitive field com.alibaba.fastjson.serializer.SerializeConfig.propertyNamingStrategy is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility.
RC Suspicious comparison of Boolean references in com.alibaba.fastjson.parser.deserializer.JavaBeanDeserializer.createInstance(Map, ParserConfig)
RC Suspicious comparison of Boolean references in com.alibaba.fastjson.parser.deserializer.JavaBeanDeserializer.createInstance(Map, ParserConfig)
Se com.alibaba.fastjson.util.TypeUtils$MethodInheritanceComparator implements Comparator but not Serializable

Correctness Warnings

Code Warning
NP Possible null pointer dereference of simpleDateFormat in com.alibaba.fastjson.parser.deserializer.AbstractDateDeserializer.deserialze(DefaultJSONParser, Type, Object, String, int) on exception path
NP Possible null pointer dereference of fieldInfo in com.alibaba.fastjson.serializer.JavaBeanSerializer.getFieldValuesMap(Object)
NP Possible null pointer dereference of TypeUtils.oracleDateMethod in com.alibaba.fastjson.util.TypeUtils.castToDate(Object, String)
NP Possible null pointer dereference of TypeUtils.oracleTimestampMethod in com.alibaba.fastjson.util.TypeUtils.castToDate(Object, String)
RCN Nullcheck of fieldInfoList at line 1509 of value previously dereferenced in com.alibaba.fastjson.parser.deserializer.JavaBeanDeserializer.createInstance(Map, ParserConfig)
RpC Repeated conditional test in com.alibaba.fastjson.JSONPath$JSONPathParser.parseArrayAccessFilter(boolean)
USELESS_STRING Invocation of toString on paramNames in com.alibaba.fastjson.parser.deserializer.JavaBeanDeserializer.deserialze(DefaultJSONParser, Type, Object, Object, int, int[])

Malicious code vulnerability Warnings

Code Warning
DP new com.alibaba.fastjson.parser.deserializer.ASMDeserializerFactory(ClassLoader) creates a com.alibaba.fastjson.util.ASMClassLoader classloader, which should be performed within a doPrivileged block
DP new com.alibaba.fastjson.serializer.ASMSerializerFactory() creates a com.alibaba.fastjson.util.ASMClassLoader classloader, which should be performed within a doPrivileged block
EI com.alibaba.fastjson.JSONObject.getInnerMap() may expose internal representation by returning JSONObject.map
EI com.alibaba.fastjson.JSONPObject.getParameters() may expose internal representation by returning JSONPObject.parameters
EI com.alibaba.fastjson.parser.DefaultJSONParser.getConfig() may expose internal representation by returning DefaultJSONParser.config
EI com.alibaba.fastjson.parser.DefaultJSONParser.getDateFormat() may expose internal representation by returning DefaultJSONParser.dateFormat
EI com.alibaba.fastjson.parser.DefaultJSONParser.getExtraProcessors() may expose internal representation by returning DefaultJSONParser.extraProcessors
EI com.alibaba.fastjson.parser.DefaultJSONParser.getExtraTypeProviders() may expose internal representation by returning DefaultJSONParser.extraTypeProviders
EI com.alibaba.fastjson.parser.DefaultJSONParser.getResolveTaskList() may expose internal representation by returning DefaultJSONParser.resolveTaskList
EI com.alibaba.fastjson.parser.JSONLexerBase.getCalendar() may expose internal representation by returning JSONLexerBase.calendar
EI com.alibaba.fastjson.parser.JSONLexerBase.getTimeZone() may expose internal representation by returning JSONLexerBase.timeZone
EI com.alibaba.fastjson.parser.JSONReaderScanner.sub_chars(int, int) may expose internal representation by returning JSONReaderScanner.buf
EI com.alibaba.fastjson.parser.JSONScanner.sub_chars(int, int) may expose internal representation by returning JSONLexerBase.sbuf
EI com.alibaba.fastjson.parser.ParserConfig.getDefaultClassLoader() may expose internal representation by returning ParserConfig.defaultClassLoader
EI com.alibaba.fastjson.parser.ParserConfig.getDerializers() may expose internal representation by returning ParserConfig.deserializers
EI com.alibaba.fastjson.parser.ParserConfig.getDeserializers() may expose internal representation by returning ParserConfig.deserializers
EI com.alibaba.fastjson.serializer.JSONSerializer.getDateFormat() may expose internal representation by returning JSONSerializer.dateFormat
EI com.alibaba.fastjson.serializer.JSONSerializer.getMapping() may expose internal representation by returning JSONSerializer.config
EI com.alibaba.fastjson.serializer.SerializeFilterable.getAfterFilters() may expose internal representation by returning SerializeFilterable.afterFilters
EI com.alibaba.fastjson.serializer.SerializeFilterable.getBeforeFilters() may expose internal representation by returning SerializeFilterable.beforeFilters
EI com.alibaba.fastjson.serializer.SerializeFilterable.getContextValueFilters() may expose internal representation by returning SerializeFilterable.contextValueFilters
EI com.alibaba.fastjson.serializer.SerializeFilterable.getLabelFilters() may expose internal representation by returning SerializeFilterable.labelFilters
EI com.alibaba.fastjson.serializer.SerializeFilterable.getNameFilters() may expose internal representation by returning SerializeFilterable.nameFilters
EI com.alibaba.fastjson.serializer.SerializeFilterable.getPropertyFilters() may expose internal representation by returning SerializeFilterable.propertyFilters
EI com.alibaba.fastjson.serializer.SerializeFilterable.getPropertyPreFilters() may expose internal representation by returning SerializeFilterable.propertyPreFilters
EI com.alibaba.fastjson.serializer.SerializeFilterable.getValueFilters() may expose internal representation by returning SerializeFilterable.valueFilters
EI com.alibaba.fastjson.serializer.SimplePropertyPreFilter.getExcludes() may expose internal representation by returning SimplePropertyPreFilter.excludes
EI com.alibaba.fastjson.serializer.SimplePropertyPreFilter.getIncludes() may expose internal representation by returning SimplePropertyPreFilter.includes
EI com.alibaba.fastjson.support.config.FastJsonConfig.getClassSerializeFilters() may expose internal representation by returning FastJsonConfig.classSerializeFilters
EI com.alibaba.fastjson.support.config.FastJsonConfig.getFeatures() may expose internal representation by returning FastJsonConfig.features
EI com.alibaba.fastjson.support.config.FastJsonConfig.getParserConfig() may expose internal representation by returning FastJsonConfig.parserConfig
EI com.alibaba.fastjson.support.config.FastJsonConfig.getSerializeConfig() may expose internal representation by returning FastJsonConfig.serializeConfig
EI com.alibaba.fastjson.support.config.FastJsonConfig.getSerializeFilters() may expose internal representation by returning FastJsonConfig.serializeFilters
EI com.alibaba.fastjson.support.config.FastJsonConfig.getSerializerFeatures() may expose internal representation by returning FastJsonConfig.serializerFeatures
EI com.alibaba.fastjson.support.geo.Feature.getGeometry() may expose internal representation by returning Feature.geometry
EI com.alibaba.fastjson.support.geo.Feature.getProperties() may expose internal representation by returning Feature.properties
EI com.alibaba.fastjson.support.geo.FeatureCollection.getFeatures() may expose internal representation by returning FeatureCollection.features
EI com.alibaba.fastjson.support.geo.Geometry.getBbox() may expose internal representation by returning Geometry.bbox
EI com.alibaba.fastjson.support.geo.GeometryCollection.getGeometries() may expose internal representation by returning GeometryCollection.geometries
EI com.alibaba.fastjson.support.geo.LineString.getCoordinates() may expose internal representation by returning LineString.coordinates
EI com.alibaba.fastjson.support.geo.MultiLineString.getCoordinates() may expose internal representation by returning MultiLineString.coordinates
EI com.alibaba.fastjson.support.geo.MultiPoint.getCoordinates() may expose internal representation by returning MultiPoint.coordinates
EI com.alibaba.fastjson.support.geo.MultiPolygon.getCoordinates() may expose internal representation by returning MultiPolygon.coordinates
EI com.alibaba.fastjson.support.geo.Polygon.getCoordinates() may expose internal representation by returning Polygon.coordinates
EI com.alibaba.fastjson.support.jaxrs.FastJsonProvider.getFastJsonConfig() may expose internal representation by returning FastJsonProvider.fastJsonConfig
EI com.alibaba.fastjson.support.retrofit.Retrofit2ConverterFactory.getFastJsonConfig() may expose internal representation by returning Retrofit2ConverterFactory.fastJsonConfig
EI com.alibaba.fastjson.support.spring.FastJsonContainer.getFilters() may expose internal representation by returning FastJsonContainer.filters
EI com.alibaba.fastjson.support.spring.FastJsonHttpMessageConverter.getFastJsonConfig() may expose internal representation by returning FastJsonHttpMessageConverter.fastJsonConfig
EI com.alibaba.fastjson.support.spring.FastJsonJsonView.getFastJsonConfig() may expose internal representation by returning FastJsonJsonView.fastJsonConfig
EI com.alibaba.fastjson.support.spring.FastJsonRedisSerializer.getFastJsonConfig() may expose internal representation by returning FastJsonRedisSerializer.fastJsonConfig
EI com.alibaba.fastjson.support.spring.PropertyPreFilters.getFilters() may expose internal representation by returning PropertyPreFilters.filters
EI com.alibaba.fastjson.support.spring.messaging.MappingFastJsonMessageConverter.getFastJsonConfig() may expose internal representation by returning MappingFastJsonMessageConverter.fastJsonConfig
EI com.alibaba.fastjson.util.ParameterizedTypeImpl.getActualTypeArguments() may expose internal representation by returning ParameterizedTypeImpl.actualTypeArguments
EI2 new com.alibaba.fastjson.JSONArray(List) may expose internal representation by storing an externally mutable object into JSONArray.list
EI2 new com.alibaba.fastjson.JSONObject(Map) may expose internal representation by storing an externally mutable object into JSONObject.map
EI2 new com.alibaba.fastjson.JSONPath(String, SerializeConfig, ParserConfig, boolean) may expose internal representation by storing an externally mutable object into JSONPath.parserConfig
EI2 new com.alibaba.fastjson.JSONPath(String, SerializeConfig, ParserConfig, boolean) may expose internal representation by storing an externally mutable object into JSONPath.serializeConfig
EI2 new com.alibaba.fastjson.JSONReader(DefaultJSONParser) may expose internal representation by storing an externally mutable object into JSONReader.parser
EI2 new com.alibaba.fastjson.asm.MethodWriter(ClassWriter, int, String, String, String, String[]) may expose internal representation by storing an externally mutable object into MethodWriter.cw
EI2 new com.alibaba.fastjson.asm.TypeCollector(String, Class[]) may expose internal representation by storing an externally mutable object into TypeCollector.parameterTypes
EI2 new com.alibaba.fastjson.parser.DefaultJSONParser(Object, JSONLexer, ParserConfig) may expose internal representation by storing an externally mutable object into DefaultJSONParser.config
EI2 com.alibaba.fastjson.parser.DefaultJSONParser.setConfig(ParserConfig) may expose internal representation by storing an externally mutable object into DefaultJSONParser.config
EI2 com.alibaba.fastjson.parser.DefaultJSONParser.setDateFormat(DateFormat) may expose internal representation by storing an externally mutable object into DefaultJSONParser.dateFormat
EI2 com.alibaba.fastjson.parser.JSONLexerBase.setTimeZone(TimeZone) may expose internal representation by storing an externally mutable object into JSONLexerBase.timeZone
EI2 com.alibaba.fastjson.parser.ParserConfig.setDefaultClassLoader(ClassLoader) may expose internal representation by storing an externally mutable object into ParserConfig.defaultClassLoader
EI2 new com.alibaba.fastjson.parser.deserializer.EnumCreatorDeserializer(Method) may expose internal representation by storing an externally mutable object into EnumCreatorDeserializer.creator
EI2 new com.alibaba.fastjson.parser.deserializer.ResolveFieldDeserializer(DefaultJSONParser, List, int) may expose internal representation by storing an externally mutable object into ResolveFieldDeserializer.list
EI2 new com.alibaba.fastjson.parser.deserializer.ResolveFieldDeserializer(DefaultJSONParser, List, int) may expose internal representation by storing an externally mutable object into ResolveFieldDeserializer.parser
EI2 new com.alibaba.fastjson.parser.deserializer.ResolveFieldDeserializer(Collection) may expose internal representation by storing an externally mutable object into ResolveFieldDeserializer.collection
EI2 new com.alibaba.fastjson.parser.deserializer.ResolveFieldDeserializer(Map, Object) may expose internal representation by storing an externally mutable object into ResolveFieldDeserializer.map
EI2 new com.alibaba.fastjson.serializer.ArraySerializer(Class, ObjectSerializer) may expose internal representation by storing an externally mutable object into ArraySerializer.compObjectSerializer
EI2 new com.alibaba.fastjson.serializer.BeanContext(Class, FieldInfo) may expose internal representation by storing an externally mutable object into BeanContext.fieldInfo
EI2 new com.alibaba.fastjson.serializer.DoubleSerializer(DecimalFormat) may expose internal representation by storing an externally mutable object into DoubleSerializer.decimalFormat
EI2 new com.alibaba.fastjson.serializer.FloatCodec(DecimalFormat) may expose internal representation by storing an externally mutable object into FloatCodec.decimalFormat
EI2 new com.alibaba.fastjson.serializer.JSONSerializer(SerializeWriter, SerializeConfig) may expose internal representation by storing an externally mutable object into JSONSerializer.config
EI2 com.alibaba.fastjson.serializer.JSONSerializer.setDateFormat(DateFormat) may expose internal representation by storing an externally mutable object into JSONSerializer.dateFormat
EI2 new com.alibaba.fastjson.serializer.SerializeBeanInfo(Class, JSONType, String, String, int, FieldInfo[], FieldInfo[]) may expose internal representation by storing an externally mutable object into SerializeBeanInfo.fields
EI2 new com.alibaba.fastjson.serializer.SerializeBeanInfo(Class, JSONType, String, String, int, FieldInfo[], FieldInfo[]) may expose internal representation by storing an externally mutable object into SerializeBeanInfo.sortedFields
EI2 new com.alibaba.fastjson.serializer.SerializeWriter(Writer, int) may expose internal representation by storing an externally mutable object into SerializeWriter.writer
EI2 new com.alibaba.fastjson.serializer.SerializeWriter(Writer, int, SerializerFeature[]) may expose internal representation by storing an externally mutable object into SerializeWriter.writer
EI2 com.alibaba.fastjson.support.config.FastJsonConfig.setClassSerializeFilters(Map) may expose internal representation by storing an externally mutable object into FastJsonConfig.classSerializeFilters
EI2 com.alibaba.fastjson.support.config.FastJsonConfig.setParserConfig(ParserConfig) may expose internal representation by storing an externally mutable object into FastJsonConfig.parserConfig
EI2 com.alibaba.fastjson.support.config.FastJsonConfig.setSerializeConfig(SerializeConfig) may expose internal representation by storing an externally mutable object into FastJsonConfig.serializeConfig
EI2 com.alibaba.fastjson.support.geo.Feature.setGeometry(Geometry) may expose internal representation by storing an externally mutable object into Feature.geometry
EI2 com.alibaba.fastjson.support.geo.Feature.setProperties(Map) may expose internal representation by storing an externally mutable object into Feature.properties
EI2 com.alibaba.fastjson.support.geo.Geometry.setBbox(double[]) may expose internal representation by storing an externally mutable object into Geometry.bbox
EI2 com.alibaba.fastjson.support.geo.LineString.setCoordinates(double[][]) may expose internal representation by storing an externally mutable object into LineString.coordinates
EI2 com.alibaba.fastjson.support.geo.MultiLineString.setCoordinates(double[][][]) may expose internal representation by storing an externally mutable object into MultiLineString.coordinates
EI2 com.alibaba.fastjson.support.geo.MultiPoint.setCoordinates(double[][]) may expose internal representation by storing an externally mutable object into MultiPoint.coordinates
EI2 com.alibaba.fastjson.support.geo.MultiPolygon.setCoordinates(double[][][][]) may expose internal representation by storing an externally mutable object into MultiPolygon.coordinates
EI2 com.alibaba.fastjson.support.geo.Polygon.setCoordinates(double[][][]) may expose internal representation by storing an externally mutable object into Polygon.coordinates
EI2 new com.alibaba.fastjson.support.jaxrs.FastJsonProvider(Class[]) may expose internal representation by storing an externally mutable object into FastJsonProvider.clazzes
EI2 com.alibaba.fastjson.support.jaxrs.FastJsonProvider.setFastJsonConfig(FastJsonConfig) may expose internal representation by storing an externally mutable object into FastJsonProvider.fastJsonConfig
EI2 new com.alibaba.fastjson.support.retrofit.Retrofit2ConverterFactory(FastJsonConfig) may expose internal representation by storing an externally mutable object into Retrofit2ConverterFactory.fastJsonConfig
EI2 com.alibaba.fastjson.support.retrofit.Retrofit2ConverterFactory.setFastJsonConfig(FastJsonConfig) may expose internal representation by storing an externally mutable object into Retrofit2ConverterFactory.fastJsonConfig
EI2 com.alibaba.fastjson.support.spring.FastJsonContainer.setFilters(PropertyPreFilters) may expose internal representation by storing an externally mutable object into FastJsonContainer.filters
EI2 com.alibaba.fastjson.support.spring.FastJsonHttpMessageConverter.setFastJsonConfig(FastJsonConfig) may expose internal representation by storing an externally mutable object into FastJsonHttpMessageConverter.fastJsonConfig
EI2 com.alibaba.fastjson.support.spring.FastJsonJsonView.setFastJsonConfig(FastJsonConfig) may expose internal representation by storing an externally mutable object into FastJsonJsonView.fastJsonConfig
EI2 com.alibaba.fastjson.support.spring.FastJsonJsonView.setRenderedAttributes(Set) may expose internal representation by storing an externally mutable object into FastJsonJsonView.renderedAttributes
EI2 com.alibaba.fastjson.support.spring.FastJsonRedisSerializer.setFastJsonConfig(FastJsonConfig) may expose internal representation by storing an externally mutable object into FastJsonRedisSerializer.fastJsonConfig
EI2 com.alibaba.fastjson.support.spring.PropertyPreFilters.setFilters(List) may expose internal representation by storing an externally mutable object into PropertyPreFilters.filters
EI2 new com.alibaba.fastjson.support.spring.PropertyPreFilters$MySimplePropertyPreFilter(PropertyPreFilters) may expose internal representation by storing an externally mutable object into PropertyPreFilters$MySimplePropertyPreFilter.this$0
EI2 new com.alibaba.fastjson.support.spring.PropertyPreFilters$MySimplePropertyPreFilter(PropertyPreFilters, Class, String[]) may expose internal representation by storing an externally mutable object into PropertyPreFilters$MySimplePropertyPreFilter.this$0
EI2 new com.alibaba.fastjson.support.spring.PropertyPreFilters$MySimplePropertyPreFilter(PropertyPreFilters, String[]) may expose internal representation by storing an externally mutable object into PropertyPreFilters$MySimplePropertyPreFilter.this$0
EI2 com.alibaba.fastjson.support.spring.messaging.MappingFastJsonMessageConverter.setFastJsonConfig(FastJsonConfig) may expose internal representation by storing an externally mutable object into MappingFastJsonMessageConverter.fastJsonConfig
EI2 new com.alibaba.fastjson.util.ParameterizedTypeImpl(Type[], Type, Type) may expose internal representation by storing an externally mutable object into ParameterizedTypeImpl.actualTypeArguments
MC Overridable method init is called from method clone() in class com.alibaba.fastjson.util.AntiCollisionHashMap.
MS com.alibaba.fastjson.JSON.DEFAULT_GENERATE_FEATURE isn't final and cannot be protected from malicious code
MS com.alibaba.fastjson.JSON.DEFAULT_PARSER_FEATURE isn't final and cannot be protected from malicious code
MS com.alibaba.fastjson.JSON.DEFAULT_TYPE_KEY isn't final and cannot be protected from malicious code
MS com.alibaba.fastjson.JSON.DEFFAULT_DATE_FORMAT isn't final but should be
MS com.alibaba.fastjson.JSON.defaultLocale isn't final but should be
MS com.alibaba.fastjson.JSON.defaultTimeZone isn't final but should be
MS com.alibaba.fastjson.JSONPObject.SECURITY_PREFIX isn't final but should be
MS com.alibaba.fastjson.parser.JSONLexerBase.digits should be package protected
MS com.alibaba.fastjson.parser.JSONLexerBase.typeFieldName should be package protected
MS com.alibaba.fastjson.parser.ParserConfig.DENYS should be package protected
MS com.alibaba.fastjson.parser.ParserConfig.DENYS_INTERNAL should be package protected
MS com.alibaba.fastjson.parser.ParserConfig.global isn't final but should be
MS com.alibaba.fastjson.parser.deserializer.MapDeserializer.instance isn't final but should be
MS com.alibaba.fastjson.parser.deserializer.OptionalCodec.instance isn't final but should be
MS com.alibaba.fastjson.serializer.AnnotationSerializer.instance isn't final but should be
MS com.alibaba.fastjson.serializer.EnumerationSerializer.instance isn't final but should be
MS com.alibaba.fastjson.serializer.FloatCodec.instance isn't final but should be
MS com.alibaba.fastjson.serializer.GuavaCodec.instance isn't final but should be
MS com.alibaba.fastjson.serializer.IntegerCodec.instance isn't final but should be
MS com.alibaba.fastjson.serializer.JSONAwareSerializer.instance isn't final but should be
MS com.alibaba.fastjson.serializer.JSONSerializableSerializer.instance isn't final but should be
MS com.alibaba.fastjson.serializer.LongCodec.instance isn't final but should be
MS com.alibaba.fastjson.serializer.MapSerializer.instance isn't final but should be
MS com.alibaba.fastjson.serializer.PrimitiveArraySerializer.instance isn't final but should be
MS com.alibaba.fastjson.serializer.StringCodec.instance isn't final but should be
MS com.alibaba.fastjson.support.jaxrs.FastJsonProvider.DEFAULT_UNREADABLES should be package protected
MS com.alibaba.fastjson.support.jaxrs.FastJsonProvider.DEFAULT_UNWRITABLES should be package protected
MS com.alibaba.fastjson.support.spring.FastJsonpResponseBodyAdvice.DEFAULT_JSONP_QUERY_PARAM_NAMES should be package protected
MS com.alibaba.fastjson.util.Base64.CA should be package protected
MS com.alibaba.fastjson.util.Base64.IA should be package protected
MS com.alibaba.fastjson.util.IOUtils.ASCII_CHARS is a mutable array
MS com.alibaba.fastjson.util.IOUtils.CA is a mutable array
MS com.alibaba.fastjson.util.IOUtils.DIGITS is a mutable array
MS com.alibaba.fastjson.util.IOUtils.firstIdentifierFlags is a mutable array
MS com.alibaba.fastjson.util.IOUtils.identifierFlags is a mutable array
MS com.alibaba.fastjson.util.IOUtils.replaceChars is a mutable array
MS com.alibaba.fastjson.util.IOUtils.specicalFlags_doubleQuotes is a mutable array
MS com.alibaba.fastjson.util.IOUtils.specicalFlags_singleQuotes is a mutable array
MS com.alibaba.fastjson.util.IOUtils.DEFAULT_PROPERTIES is a mutable collection
MS com.alibaba.fastjson.util.IOUtils.IA should be package protected
MS com.alibaba.fastjson.util.IOUtils.specicalFlags_doubleQuotesFlags should be package protected
MS com.alibaba.fastjson.util.IOUtils.specicalFlags_singleQuotesFlags should be package protected
MS com.alibaba.fastjson.util.TypeUtils.castToTimestampFunction isn't final but should be
MS com.alibaba.fastjson.util.TypeUtils.compatibleWithFieldName isn't final but should be refactored to be so
MS com.alibaba.fastjson.util.TypeUtils.compatibleWithJavaBean isn't final but should be refactored to be so
REFLC Public method com.alibaba.fastjson.parser.JSONLexerBase.newCollectionByType(Class) uses reflection to create a class it gets in its parameter which could increase the accessibility of any class
REFLC Public method com.alibaba.fastjson.parser.deserializer.MapDeserializer.createMap(Type, int) uses reflection to create a class it gets in its parameter which could increase the accessibility of any class
REFLC Public method com.alibaba.fastjson.util.TypeUtils.cast(Object, Class, ParserConfig) uses reflection to create a class it gets in its parameter which could increase the accessibility of any class

Multithreaded correctness Warnings

Code Warning
LI Incorrect lazy initialization of static field com.alibaba.fastjson.util.TypeUtils.oracleDateMethod in com.alibaba.fastjson.util.TypeUtils.castToDate(Object, String)
LI Incorrect lazy initialization of static field com.alibaba.fastjson.util.TypeUtils.oracleTimestampMethod in com.alibaba.fastjson.util.TypeUtils.castToDate(Object, String)
LI Incorrect lazy initialization of static field com.alibaba.fastjson.util.TypeUtils.class_ManyToMany in com.alibaba.fastjson.util.TypeUtils.isAnnotationPresentManyToMany(Method)
LI Incorrect lazy initialization of static field com.alibaba.fastjson.util.TypeUtils.class_OneToMany in com.alibaba.fastjson.util.TypeUtils.isAnnotationPresentOneToMany(Method)
LI Incorrect lazy initialization of static field com.alibaba.fastjson.util.TypeUtils.method_HibernateIsInitialized in com.alibaba.fastjson.util.TypeUtils.isHibernateInitialized(Object)
LI Incorrect lazy initialization of static field com.alibaba.fastjson.util.TypeUtils.class_JacksonCreator in com.alibaba.fastjson.util.TypeUtils.isJacksonCreator(Method)
LI Incorrect lazy initialization of static field com.alibaba.fastjson.util.TypeUtils.pathClass in com.alibaba.fastjson.util.TypeUtils.isPath(Class)
LI Incorrect lazy initialization of static field com.alibaba.fastjson.util.TypeUtils.OPTIONAL_EMPTY in com.alibaba.fastjson.util.TypeUtils.optionalEmpty(Type)
LI Incorrect lazy initialization and update of static field com.alibaba.fastjson.util.TypeUtils.class_XmlAccessType in com.alibaba.fastjson.util.TypeUtils.isXmlField(Class)
RV Return value of putIfAbsent is ignored, but key is reused in new com.alibaba.fastjson.TypeReference(Type[])
RV Return value of putIfAbsent is ignored, but type is reused in com.alibaba.fastjson.TypeReference.intern(ParameterizedTypeImpl)
RV Return value of putIfAbsent is ignored, but type is reused in new com.alibaba.fastjson.TypeReference()
VO Increment of volatile field com.alibaba.fastjson.util.AntiCollisionHashMap.modCount in com.alibaba.fastjson.util.AntiCollisionHashMap.clear()
VO Increment of volatile field com.alibaba.fastjson.util.AntiCollisionHashMap.modCount in com.alibaba.fastjson.util.AntiCollisionHashMap.put(Object, Object)
VO Increment of volatile field com.alibaba.fastjson.util.AntiCollisionHashMap.modCount in com.alibaba.fastjson.util.AntiCollisionHashMap.putForNullKey(Object)
VO Increment of volatile field com.alibaba.fastjson.util.AntiCollisionHashMap.modCount in com.alibaba.fastjson.util.AntiCollisionHashMap.removeEntryForKey(Object)
VO Increment of volatile field com.alibaba.fastjson.util.AntiCollisionHashMap.modCount in com.alibaba.fastjson.util.AntiCollisionHashMap.removeMapping(Object)

Performance Warnings

Code Warning
Bx com.alibaba.fastjson.JSONPath.compare(Object, Object) invokes inefficient new Long(long) constructor; use Long.valueOf(long) instead
SBSC com.alibaba.fastjson.util.TypeUtils.checkPrimitiveArray(GenericArrayType) concatenates strings using + in a loop
SIC Should com.alibaba.fastjson.support.spring.PropertyPreFilters$MySimplePropertyPreFilter be a _static_ inner class?
UrF Unread field: com.alibaba.fastjson.asm.ClassWriter.thisName
UrF Unread field: com.alibaba.fastjson.support.retrofit.Retrofit2ConverterFactory.featureValues
UrF Unread field: com.alibaba.fastjson.support.retrofit.Retrofit2ConverterFactory.parserConfig
UuF Unused field: com.alibaba.fastjson.asm.ClassWriter.typeTable
UuF Unused field: com.alibaba.fastjson.asm.Label.inputStackTop
UuF Unused field: com.alibaba.fastjson.asm.Label.next
UuF Unused field: com.alibaba.fastjson.asm.Label.outputStackMax
UuF Unused field: com.alibaba.fastjson.asm.Label.successor

Dodgy code Warnings

Code Warning
BC instanceof will always return true for all non-null values in com.alibaba.fastjson.JSONPath.paths(Map, Map, String, Object, SerializeConfig), since all String are instances of String
BC Unchecked/unconfirmed cast from reflect.AccessibleObject to reflect.Constructor in com.alibaba.fastjson.util.ASMUtils.lookupParameterNames(AccessibleObject)
DLS Dead store to val in com.alibaba.fastjson.JSONPath.deepSet(Object, String, long, Object)
IM Check for oddness that won't work for negative numbers in com.alibaba.fastjson.util.RyuFloat.toString(float, char[], int)
NP Load of known null value in com.alibaba.fastjson.parser.deserializer.JavaBeanDeserializer.deserialze(DefaultJSONParser, Type, Object, Object, int, int[])
RCN Redundant nullcheck of dateFormat, which is known to be non-null in com.alibaba.fastjson.serializer.CalendarCodec.write(JSONSerializer, Object, BeanContext)
RCN Redundant nullcheck of object, which is known to be non-null in com.alibaba.fastjson.serializer.JavaBeanSerializer.write(JSONSerializer, Object, Object, Type, int, boolean)
RCN Redundant nullcheck of com.alibaba.fastjson.util.FieldInfo.method which is known to be null in new com.alibaba.fastjson.util.FieldInfo(String, Class, Class, Type, Field, int, int, int)
RCN Redundant nullcheck of builderClass, which is known to be non-null in com.alibaba.fastjson.util.JavaBeanInfo.build(Class, Type, PropertyNamingStrategy, boolean, boolean, boolean)
REC Exception is caught when Exception is not thrown in com.alibaba.fastjson.JSON.parseObject(byte[], int, int, Charset, Type, ParserConfig, ParseProcess, int, Feature[])
REC Exception is caught when Exception is not thrown in new com.alibaba.fastjson.parser.deserializer.EnumDeserializer(Class)
REC Exception is caught when Exception is not thrown in com.alibaba.fastjson.serializer.JSONObjectCodec.write(JSONSerializer, Object, Object, Type, int)
REC Exception is caught when Exception is not thrown in com.alibaba.fastjson.serializer.SerializeConfig.getObjectWriter(Class, boolean)
SF Switch statement found in com.alibaba.fastjson.asm.ClassReader.readUTF(int, int, char[]) where default case is missing
ST Write to static field com.alibaba.fastjson.parser.ParserConfig.awtError from instance method com.alibaba.fastjson.parser.ParserConfig.getDeserializer(Class, Type)
ST Write to static field com.alibaba.fastjson.parser.ParserConfig.guavaError from instance method com.alibaba.fastjson.parser.ParserConfig.getDeserializer(Class, Type)
ST Write to static field com.alibaba.fastjson.parser.ParserConfig.jdk8Error from instance method com.alibaba.fastjson.parser.ParserConfig.getDeserializer(Class, Type)
ST Write to static field com.alibaba.fastjson.parser.ParserConfig.jodaError from instance method com.alibaba.fastjson.parser.ParserConfig.getDeserializer(Class, Type)
ST Write to static field com.alibaba.fastjson.serializer.AnnotationSerializer.sun_AnnotationType from instance method com.alibaba.fastjson.serializer.AnnotationSerializer.write(JSONSerializer, Object, Object, Type, int)
ST Write to static field com.alibaba.fastjson.serializer.AnnotationSerializer.sun_AnnotationType_error from instance method com.alibaba.fastjson.serializer.AnnotationSerializer.write(JSONSerializer, Object, Object, Type, int)
ST Write to static field com.alibaba.fastjson.serializer.AnnotationSerializer.sun_AnnotationType_getInstance from instance method com.alibaba.fastjson.serializer.AnnotationSerializer.write(JSONSerializer, Object, Object, Type, int)
ST Write to static field com.alibaba.fastjson.serializer.AnnotationSerializer.sun_AnnotationType_members from instance method com.alibaba.fastjson.serializer.AnnotationSerializer.write(JSONSerializer, Object, Object, Type, int)
ST Write to static field com.alibaba.fastjson.serializer.MiscCodec.method_paths_get from instance method com.alibaba.fastjson.serializer.MiscCodec.deserialze(DefaultJSONParser, Type, Object)
ST Write to static field com.alibaba.fastjson.serializer.MiscCodec.method_paths_get_error from instance method com.alibaba.fastjson.serializer.MiscCodec.deserialze(DefaultJSONParser, Type, Object)
ST Write to static field com.alibaba.fastjson.serializer.SerializeConfig.awtError from instance method com.alibaba.fastjson.serializer.SerializeConfig.getObjectWriter(Class, boolean)
ST Write to static field com.alibaba.fastjson.serializer.SerializeConfig.guavaError from instance method com.alibaba.fastjson.serializer.SerializeConfig.getObjectWriter(Class, boolean)
ST Write to static field com.alibaba.fastjson.serializer.SerializeConfig.jdk8Error from instance method com.alibaba.fastjson.serializer.SerializeConfig.getObjectWriter(Class, boolean)
ST Write to static field com.alibaba.fastjson.serializer.SerializeConfig.jodaError from instance method com.alibaba.fastjson.serializer.SerializeConfig.getObjectWriter(Class, boolean)
ST Write to static field com.alibaba.fastjson.serializer.SerializeConfig.oracleJdbcError from instance method com.alibaba.fastjson.serializer.SerializeConfig.getObjectWriter(Class, boolean)
ST Write to static field com.alibaba.fastjson.serializer.SerializeConfig.springfoxError from instance method com.alibaba.fastjson.serializer.SerializeConfig.getObjectWriter(Class, boolean)
UC Useless condition: it's known that ch == '\\' at this point
UC Useless condition: it's known that predicateFlag == false at this point
UC Useless condition: it's known that this.deep == false at this point
UC Useless object stored in variable typeTable of method com.alibaba.fastjson.asm.ClassReader.readMethod(TypeCollector, char[], int)
UC Useless condition: it's known that rest >= 9 at this point
UC Useless condition: it's known that c < 57344 (0xe000) at this point
UC Useless condition: it's known that c >= 56320 (0xdc00) at this point
UrF Unread public/protected field: com.alibaba.fastjson.support.spring.FastJsonJsonView.charset
UrF Unread public/protected field: com.alibaba.fastjson.support.spring.FastJsonJsonView.features
UrF Unread public/protected field: com.alibaba.fastjson.support.spring.FastJsonJsonView.filters

Details

BC_UNCONFIRMED_CAST: Unchecked/unconfirmed cast

This cast is unchecked, and not all instances of the type cast from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.

BC_VACUOUS_INSTANCEOF: instanceof will always return true

This instanceof test will always return true (unless the value being tested is null). Although this is safe, make sure it isn't an indication of some misunderstanding or some other logic error. If you really want to test the value for being null, perhaps it would be clearer to do better to do a null test rather than an instanceof test.

DM_NUMBER_CTOR: Method invokes inefficient Number constructor; use static valueOf instead

Using new Integer(int) is guaranteed to always result in a new object whereas Integer.valueOf(int) allows caching of values to be done by the compiler, class library, or JVM. Using of cached values avoids object allocation and the code will be faster.

Values between -128 and 127 are guaranteed to have corresponding cached instances and using valueOf is approximately 3.5 times faster than using constructor. For values outside the constant range the performance of both styles is the same.

Unless the class must be compatible with JVMs predating Java 5, use either autoboxing or the valueOf() method when creating instances of Long, Integer, Short, Character, and Byte.

CN_IDIOM_NO_SUPER_CALL: clone method does not call super.clone()

This non-final class defines a clone() method that does not call super.clone(). If this class ("A") is extended by a subclass ("B"), and the subclass B calls super.clone(), then it is likely that B's clone() method will return an object of type A, which violates the standard contract for clone().

If all clone() methods call super.clone(), then they are guaranteed to use Object.clone(), which always returns an object of the correct type.

CT_CONSTRUCTOR_THROW: Be wary of letting constructors throw exceptions.

Classes that throw exceptions in their constructors are vulnerable to Finalizer attacks

A finalizer attack can be prevented, by declaring the class final, using an empty finalizer declared as final, or by a clever use of a private constructor.

See SEI CERT Rule OBJ-11 for more information.

DLS_DEAD_LOCAL_STORE: Dead store to local variable

This instruction assigns a value to a local variable, but the value is not read or used in any subsequent instruction. Often, this indicates an error, because the value computed is never used.

Note that Sun's javac compiler often generates dead stores for final local variables. Because SpotBugs is a bytecode-based tool, there is no easy way to eliminate these false positives.

DMI_RANDOM_USED_ONLY_ONCE: Random object created and used only once

This code creates a java.util.Random object, uses it to generate one random number, and then discards the Random object. This produces mediocre quality random numbers and is inefficient. If possible, rewrite the code so that the Random object is created once and saved, and each time a new random number is required invoke a method on the existing Random object to obtain it.

If it is important that the generated Random numbers not be guessable, you must not create a new Random for each random number; the values are too easily guessable. You should strongly consider using a java.security.SecureRandom instead (and avoid allocating a new SecureRandom for each random number needed).

DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED: Classloaders should only be created inside doPrivileged block

This code creates a classloader, which needs permission if a security manage is installed. If this code might be invoked by code that does not have security permissions, then the classloader creation needs to occur inside a doPrivileged block.

EI_EXPOSE_REP: May expose internal representation by returning reference to mutable object

Returning a reference to a mutable object value stored in one of the object's fields exposes the internal representation of the object.  If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Returning a new copy of the object is better approach in many situations.

EI_EXPOSE_REP2: May expose internal representation by incorporating reference to mutable object

This code stores a reference to an externally mutable object into the internal representation of the object.  If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Storing a copy of the object is better approach in many situations.

ES_COMPARING_STRINGS_WITH_EQ: Comparison of String objects using == or !=

This code compares java.lang.String objects for reference equality using the == or != operators. Unless both strings are either constants in a source file, or have been interned using the String.intern() method, the same string value may be represented by two different String objects. Consider using the equals(Object) method instead.

ES_COMPARING_PARAMETER_STRING_WITH_EQ: Comparison of String parameter using == or !=

This code compares a java.lang.String parameter for reference equality using the == or != operators. Requiring callers to pass only String constants or interned strings to a method is unnecessarily fragile, and rarely leads to measurable performance gains. Consider using the equals(Object) method instead.

EQ_COMPARETO_USE_OBJECT_EQUALS: Class defines compareTo(...) and uses Object.equals()

This class defines a compareTo(...) method but inherits its equals() method from java.lang.Object. Generally, the value of compareTo should return zero if and only if equals returns true. If this is violated, weird and unpredictable failures will occur in classes such as PriorityQueue. In Java 5 the PriorityQueue.remove method uses the compareTo method, while in Java 6 it uses the equals method.

From the JavaDoc for the compareTo method in the Comparable interface:

It is strongly recommended, but not strictly required that (x.compareTo(y)==0) == (x.equals(y)). Generally speaking, any class that implements the Comparable interface and violates this condition should clearly indicate this fact. The recommended language is "Note: this class has a natural ordering that is inconsistent with equals."

IM_BAD_CHECK_FOR_ODD: Check for oddness that won't work for negative numbers

The code uses x % 2 == 1 to check to see if a value is odd, but this won't work for negative numbers (e.g., (-5) % 2 == -1). If this code is intending to check for oddness, consider using (x & 1) == 1, or x % 2 != 0.

LI_LAZY_INIT_UPDATE_STATIC: Incorrect lazy initialization and update of static field

This method contains an unsynchronized lazy initialization of a static field. After the field is set, the object stored into that location is further updated or accessed. The setting of the field is visible to other threads as soon as it is set. If the further accesses in the method that set the field serve to initialize the object, then you have a very serious multithreading bug, unless something else prevents any other thread from accessing the stored object until it is fully initialized.

Even if you feel confident that the method is never called by multiple threads, it might be better to not set the static field until the value you are setting it to is fully populated/initialized.

LI_LAZY_INIT_STATIC: Incorrect lazy initialization of static field

This method contains an unsynchronized lazy initialization of a non-volatile static field. Because the compiler or processor may reorder instructions, threads are not guaranteed to see a completely initialized object, if the method can be called by multiple threads. You can make the field volatile to correct the problem. For more information, see the Java Memory Model web site.

MC_OVERRIDABLE_METHOD_CALL_IN_CLONE: An overridable method is called from the clone() method.

Calling overridable methods from the clone() method is insecure because a subclass could override the method, affecting the behavior of clone(). It can also observe or modify the clone object in a partially initialized state. Only static, final or private methods should be invoked from the clone() method.

See SEI CERT rule MET06-J. Do not invoke overridable methods in clone().

MS_MUTABLE_ARRAY: Field is a mutable array

A final static field references an array and can be accessed by malicious code or by accident from another package. This code can freely modify the contents of the array.

MS_MUTABLE_COLLECTION: Field is a mutable collection

A mutable collection instance is assigned to a final static field, thus can be changed by malicious code or by accident from another package. Consider wrapping this field into Collections.unmodifiableSet/List/Map/etc. to avoid this vulnerability.

MS_CANNOT_BE_FINAL: Field isn't final and cannot be protected from malicious code

A mutable static field could be changed by malicious code or by accident from another package. Unfortunately, the way the field is used doesn't allow any easy fix to this problem.

MS_SHOULD_BE_FINAL: Field isn't final but should be

This public static or protected static field is not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.

MS_SHOULD_BE_REFACTORED_TO_BE_FINAL: Field isn't final but should be refactored to be so

This public static or protected static field is not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability. However, the static initializer contains more than one write to the field, so doing so will require some refactoring.

MS_PKGPROTECT: Field should be package protected

A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.

NP_LOAD_OF_KNOWN_NULL_VALUE: Load of known null value

The variable referenced at this point is known to be null due to an earlier check against null. Although this is valid, it might be a mistake (perhaps you intended to refer to a different variable, or perhaps the earlier check to see if the variable is null should have been a check to see if it was non-null).

NP_BOOLEAN_RETURN_NULL: Method with Boolean return type returns explicit null

A method that returns either Boolean.TRUE, Boolean.FALSE or null is an accident waiting to happen. This method can be invoked as though it returned a value of type boolean, and the compiler will insert automatic unboxing of the Boolean value. If a null value is returned, this will result in a NullPointerException.

NP_NULL_ON_SOME_PATH: Possible null pointer dereference

There is a branch of statement that, if executed, guarantees that a null value will be dereferenced, which would generate a NullPointerException when the code is executed. Of course, the problem might be that the branch or statement is infeasible and that the null pointer exception cannot ever be executed; deciding that is beyond the ability of SpotBugs.

NP_NULL_ON_SOME_PATH_EXCEPTION: Possible null pointer dereference in method on exception path

A reference value which is null on some exception control path is dereferenced here.  This may lead to a NullPointerException when the code is executed.  Note that because SpotBugs currently does not prune infeasible exception paths, this may be a false warning.

Also note that SpotBugs considers the default case of a switch statement to be an exception path, since the default case is often infeasible.

PA_PUBLIC_PRIMITIVE_ATTRIBUTE: Primitive field is public

SEI CERT rule OBJ01-J requires that accessibility to fields must be limited. Otherwise, the values of the fields may be manipulated from outside the class, which may be unexpected or undesired behaviour. In general, requiring that no fields are allowed to be public is overkill and unrealistic. Even the rule mentions that final fields may be public. Besides final fields, there may be other usages for public fields: some public fields may serve as "flags" that affect the behavior of the class. Such flag fields are expected to be read by the current instance (or the current class, in case of static fields), but written by others. If a field is both written by the methods of the current instance (or the current class, in case of static fields) and from the outside, the code is suspicious. Consider making these fields private and provide appropriate setters, if necessary. Please note that constructors, initializers and finalizers are exceptions, if only they write the field inside the class, the field is not considered as written by the class itself.

RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN: Suspicious reference comparison of Boolean values

This method compares two Boolean values using the == or != operator. Normally, there are only two Boolean values (Boolean.TRUE and Boolean.FALSE), but it is possible to create other Boolean objects using the new Boolean(b) constructor. It is best to avoid such objects, but if they do exist, then checking Boolean objects for equality using == or != will give results than are different than you would get using .equals(...).

RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE: Nullcheck of value previously dereferenced

A value is checked here to see whether it is null, but this value cannot be null because it was previously dereferenced and if it were null a null pointer exception would have occurred at the earlier dereference. Essentially, this code and the previous dereference disagree as to whether this value is allowed to be null. Either the check is redundant or the previous dereference is erroneous.

RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE: Redundant nullcheck of value known to be non-null

This method contains a redundant check of a known non-null value against the constant null.

RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE: Redundant nullcheck of value known to be null

This method contains a redundant check of a known null value against the constant null.

REC_CATCH_EXCEPTION: Exception is caught when Exception is not thrown

This method uses a try-catch block that catches Exception objects, but Exception is not thrown within the try block, and RuntimeException is not explicitly caught. It is a common bug pattern to say try { ... } catch (Exception e) { something } as a shorthand for catching a number of types of exception each of whose catch blocks is identical, but this construct also accidentally catches RuntimeException as well, masking potential bugs.

A better approach is to either explicitly catch the specific exceptions that are thrown, or to explicitly catch RuntimeException exception, rethrow it, and then catch all non-Runtime Exceptions, as shown below:

try {
    ...
} catch (RuntimeException e) {
    throw e;
} catch (Exception e) {
    ... deal with all non-runtime exceptions ...
}

REFLC_REFLECTION_MAY_INCREASE_ACCESSIBILITY_OF_CLASS: Public method uses reflection to create a class it gets in its parameter which could increase the accessibility of any class

SEI CERT SEC05-J rule forbids the use of reflection to increase accessibility of classes, methods or fields. If a class in a package provides a public method which takes an instance of java.lang.Class as its parameter and calls its newInstance() method then it increases accessibility of classes in the same package without public constructors. An attacker code may call this method and pass such class to create an instance of it. This should be avoided by either making the method non-public or by checking for package access permission on the package. A third possibility is to use the java.beans.Beans.instantiate() method instead of java.lang.Class.newInstance() which checks whether the Class object being received has any public constructors.

RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED: Return value of putIfAbsent ignored, value passed to putIfAbsent reused

The putIfAbsent method is typically used to ensure that a single value is associated with a given key (the first value for which put if absent succeeds). If you ignore the return value and retain a reference to the value passed in, you run the risk of retaining a value that is not the one that is associated with the key in the map. If it matters which one you use and you use the one that isn't stored in the map, your program will behave incorrectly.

RpC_REPEATED_CONDITIONAL_TEST: Repeated conditional tests

The code contains a conditional test is performed twice, one right after the other (e.g., x == 0 || x == 0). Perhaps the second occurrence is intended to be something else (e.g., x == 0 || y == 0).

SBSC_USE_STRINGBUFFER_CONCATENATION: Method concatenates strings using + in a loop

The method seems to be building a String using concatenation in a loop. In each iteration, the String is converted to a StringBuffer/StringBuilder, appended to, and converted back to a String. This can lead to a cost quadratic in the number of iterations, as the growing string is recopied in each iteration.

Better performance can be obtained by using a StringBuffer (or StringBuilder in Java 5) explicitly.

For example:

// This is bad
String s = "";
for (int i = 0; i < field.length; ++i) {
    s = s + field[i];
}

// This is better
StringBuffer buf = new StringBuffer();
for (int i = 0; i < field.length; ++i) {
    buf.append(field[i]);
}
String s = buf.toString();

SF_SWITCH_NO_DEFAULT: Switch statement found where default case is missing

This method contains a switch statement where default case is missing. Usually you need to provide a default case.

Because the analysis only looks at the generated bytecode, this warning can be incorrect triggered if the default case is at the end of the switch statement and the switch statement doesn't contain break statements for other cases.

SIC_INNER_SHOULD_BE_STATIC: Should be a static inner class

This class is an inner class, but does not use its embedded reference to the object which created it.  This reference makes the instances of the class larger, and may keep the reference to the creator object alive longer than necessary.  If possible, the class should be made static.

ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD: Write to static field from instance method

This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.

SE_COMPARATOR_SHOULD_BE_SERIALIZABLE: Comparator doesn't implement Serializable

This class implements the Comparator interface. You should consider whether or not it should also implement the Serializable interface. If a comparator is used to construct an ordered collection such as a TreeMap, then the TreeMap will be serializable only if the comparator is also serializable. As most comparators have little or no state, making them serializable is generally easy and good defensive programming.

UC_USELESS_CONDITION: Condition has no effect

This condition always produces the same result as the value of the involved variable that was narrowed before. Probably something else was meant or the condition can be removed.

UC_USELESS_OBJECT: Useless object created

Our analysis shows that this object is useless. It's created and modified, but its value never go outside of the method or produce any side-effect. Either there is a mistake and object was intended to be used or it can be removed.

This analysis rarely produces false-positives. Common false-positive cases include:

- This object used to implicitly throw some obscure exception.

- This object used as a stub to generalize the code.

- This object used to hold strong references to weak/soft-referenced objects.

DMI_INVOKING_TOSTRING_ON_ARRAY: Invocation of toString on an array

The code invokes toString on an array, which will generate a fairly useless result such as [C@16f0472. Consider using Arrays.toString to convert the array into a readable String that gives the contents of the array. See Programming Puzzlers, chapter 3, puzzle 12.

URF_UNREAD_FIELD: Unread field

This field is never read.  Consider removing it from the class.

URF_UNREAD_PUBLIC_OR_PROTECTED_FIELD: Unread public/protected field

This field is never read.  The field is public or protected, so perhaps it is intended to be used with classes not seen as part of the analysis. If not, consider removing it from the class.

UUF_UNUSED_FIELD: Unused field

This field is never used.  Consider removing it from the class.

VO_VOLATILE_INCREMENT: An increment to a volatile field isn't atomic

This code increments/decrements a volatile field. Increments/Decrements of volatile fields aren't atomic. If more than one thread is incrementing/decrementing the field at the same time, increments/decrements could be lost.